Upgrading SharePoint apps from Azure Access Control service to Azure Active Directory
Summary
TL;DR: This video explains the transition from Azure Access Control Service (ACS) to Azure Active Directory (Azure AD) for app-only applications that interact with SharePoint Online. It demonstrates how to upgrade an existing solution: register a new Azure AD application, authenticate with an X.509 certificate instead of a client secret, and select granular API permissions, using modern development techniques.
Takeaways
- 😀 Microsoft retired Azure Access Control Service (ACS) in November 2018; it still works for SharePoint Online, but new solutions should use Azure Active Directory and existing ACS solutions should be upgraded.
- 🔒 ACS is an authentication model built on the SharePoint Add-in model, which is outdated. Modern development should rely on Azure Active Directory application registration.
- 📈 Azure Active Directory allows granular selection of permissions, such as resource-specific consent (Sites.Selected), when consuming SharePoint Online sites or content.
- 📝 To upgrade from ACS to Azure AD: create a new Azure AD application, generate an X.509 certificate for authentication, and configure API permissions.
- 🔄 Refactor code from the ACS client ID and client secret to Azure AD OAuth 2.0 with a client ID and a certificate.
- 📑 Demonstrated how an application is registered in ACS through the appregnew.aspx page of the SharePoint Online tenant (obtaining a client ID and client secret) and how its permissions are configured in appinv.aspx, in the demo a tenant-wide Full Control permission.
- 💻 Showed a C# (.NET 6) application using the PnP Framework to interact with SharePoint Online, reading a document library title and uploading a document.
- 🔑 Explained how to register a new application in Azure AD with PnP PowerShell (Register-PnPAzureADApp), which generates a self-signed certificate and associates it with the application.
- 📋 Discussed how the cmdlet grants permissions to the newly registered application, specifying the target tenant and the user credentials used for registration and consent.
- 🔗 Provided a step-by-step guide to consuming SharePoint Online with an Azure AD registered application, again reading a document library title and uploading a document.
- 🔄 Highlighted that the only code change is authentication: register the application in Azure AD, then use AuthenticationManager with the certificate, client ID and tenant ID to obtain a client context and interact with SharePoint Online.
Q & A
What is the primary reason for upgrading from Access Control Services (ACS) to Azure Active Directory (Azure AD)?
-The primary reason for upgrading from ACS to Azure AD is that ACS is an older service based on an outdated development model (the SharePoint Add-in model). Microsoft retired ACS in November 2018 and recommends using Azure AD for new solutions and upgrading existing solutions to the newer model.
Why should new solutions not use Access Control Services (ACS)?
-New solutions should not use ACS because it is an outdated authentication model that is no longer supported for new development. Azure AD provides a more modern and secure approach to application authentication and access control.
What is the role of an X509 certificate in the context of SharePoint Online and Azure AD?
-The X.509 certificate is the credential the application presents to Azure AD for app-only authentication. SharePoint Online does not accept app-only tokens obtained with a client secret, so a certificate is mandatory for this scenario. Only the public certificate is uploaded to the app registration; the private key stays with the application (in the demo, in the certificate store), which is what makes it a stronger credential than a shared secret in a config file.
How can you create a new Azure AD application?
-You can create a new Azure AD application by registering it in the Azure portal (App registrations), providing the application name and, for interactive sign-in flows, a redirect URI. A background application that only makes app-only calls needs no redirect URI. The video instead uses the PnP PowerShell cmdlet Register-PnPAzureADApp, which creates the registration, generates and uploads the certificate, and triggers the permission grant in one step.
What permissions are needed for an application to consume SharePoint Online?
-The application needs SharePoint Online API permissions of type Application, granted by an administrator. These range from tenant-wide permissions such as Sites.FullControl.All down to Sites.Selected, which grants nothing by itself until an administrator assigns the app to specific sites (resource-specific consent). They are configured during or after application registration in Azure AD; the video uses the cmdlet's default permissions and notes that specific SharePoint or Microsoft Graph permissions can be chosen with additional arguments.
How does the PnP Framework help in developing applications that consume SharePoint Online?
-The PnP Framework provides a set of packages and tools that accelerate the development of applications that consume SharePoint Online. In this video it supplies the AuthenticationManager class, which hides the token acquisition (ACS or Azure AD) and returns a CSOM ClientContext.
What is the purpose of the app settings JSON file in the provided example?
-The appsettings.json file stores the application's configuration: the site URL, the list ID or title, and the credentials needed to connect to SharePoint Online. In the ACS version this means the client ID and client secret, so the file itself is a secret and must not be committed or shared; in the Azure AD version it holds only the client ID, tenant ID and certificate thumbprint, which are not secrets, because the private key stays in the certificate store.
How can you upgrade an existing ACS-registered application to use Azure AD?
-To upgrade an existing ACS-registered application to use Azure AD, you need to create a new Azure AD application, generate an X509 certificate for authentication, configure the necessary API permissions, and refactor your code to use Azure AD authentication instead of ACS.
What is the significance of the tenant ID in the context of Azure AD application registration?
-The tenant ID is a unique identifier for the Azure AD tenant where the application is registered. It is used to associate the application with the correct Azure AD tenant and manage permissions and access control.
How does the authentication manager instance help in accessing SharePoint Online resources?
-The authentication manager instance, created using the client ID, certificate, and tenant ID, facilitates the authentication process with Azure AD. It enables the application to obtain a client context that can be used to access and manipulate SharePoint Online resources.
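The refactoring described in the takeaways and the Q&A above, as an added example (this is not the video's code, which is not reproduced on this page): the ACS path with a client secret is kept next to the Azure AD path with a certificate, the certificate is looked up by thumbprint and checked before use, and the same CSOM code reads the library title and uploads a file. It assumes the PnP.Framework, Microsoft.Extensions.Configuration.Json and Microsoft.Extensions.Configuration.Binder NuGet packages on .NET 6, and an appsettings.json whose key names (SiteUrl, ListTitle, ClientId, ClientSecret, TenantId, CertificateThumbprint) are this example's own choice.

```csharp
// Added example, not the video's code. Assumes PnP.Framework and the
// Microsoft.Extensions.Configuration.* packages; key names in appsettings.json
// are this example's own.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;
using Microsoft.SharePoint.Client;
using PnP.Framework;

// Typed view of appsettings.json. Only the ACS path needs a secret in the file.
public sealed class SpSettings
{
    public string SiteUrl { get; set; } = "";
    public string ListTitle { get; set; } = "";
    public string ClientId { get; set; } = "";
    public string? ClientSecret { get; set; }          // ACS only; delete after migration
    public string? TenantId { get; set; }              // Azure AD
    public string? CertificateThumbprint { get; set; } // Azure AD; not a secret
}

public static class SharePointAppOnly
{
    // BEFORE: ACS app-only. The secret is a bearer credential: anyone who can
    // read appsettings.json holds the app's (in the demo, tenant-wide) rights.
    public static ClientContext GetAcsContext(SpSettings s)
    {
        var authManager = new AuthenticationManager();
        return authManager.GetACSAppOnlyContext(s.SiteUrl, s.ClientId, s.ClientSecret);
    }

    // AFTER: Azure AD app-only with an X.509 certificate. The thumbprint in
    // config only identifies the key; the private key never leaves the store.
    public static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false so an expired certificate is reported as expired
        // below instead of as "not found".
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException(
                $"No certificate with thumbprint {thumbprint} in CurrentUser\\My.");
        var cert = matches[0];
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate has no private key; import the .pfx, not the .cer.");
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException(
                $"Certificate expired on {cert.NotAfter:u}; rotate it in Azure AD.");
        return cert;
    }

    // Same CSOM work as the video: load the library title, then upload a
    // random file into its root folder. Returns the title.
    public static async Task<string> ReadTitleAndUploadAsync(ClientContext ctx, string listTitle)
    {
        var list = ctx.Web.Lists.GetByTitle(listTitle);
        ctx.Load(list, l => l.Title);
        await ctx.ExecuteQueryRetryAsync();

        list.RootFolder.Files.Add(new FileCreationInformation
        {
            Url = $"{Guid.NewGuid()}.txt",
            Content = Encoding.UTF8.GetBytes($"Uploaded at {DateTime.UtcNow:O}"),
            Overwrite = false
        });
        await ctx.ExecuteQueryRetryAsync();
        return list.Title;
    }

    public static async Task Main()
    {
        var settings = new ConfigurationBuilder()
            .AddJsonFile("appsettings.json")
            .Build()
            .Get<SpSettings>()
            ?? throw new InvalidOperationException("appsettings.json could not be bound.");

        var cert = LoadCertificate(settings.CertificateThumbprint
            ?? throw new InvalidOperationException("CertificateThumbprint is not set."));

        // Keep the AuthenticationManager alive for as long as the context is
        // used: it is what renews the token behind the ClientContext.
        using var authManager = AuthenticationManager.CreateWithCertificate(
            settings.ClientId, cert, settings.TenantId);
        using var ctx = authManager.GetContext(settings.SiteUrl);

        var title = await ReadTitleAndUploadAsync(ctx, settings.ListTitle);
        Console.WriteLine($"Library title: {title}");
    }
}
```

GetAcsContext is kept only to show the diff; once the Azure AD path works, remove it together with the ClientSecret key and revoke the ACS secret, otherwise the old tenant-wide credential stays valid until it expires. PnP.Framework also offers a CreateWithCertificate overload that takes the store name, store location and thumbprint directly; the manual lookup above is used so that a missing private key or an expired certificate produces a clear error instead of a failed token request.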
Outlines
🔒 Upgrading to Azure Active Directory
The first paragraph discusses the transition from Access Control Services (ACS) to Azure Active Directory (Azure AD) for application-only authentication. It explains that ACS is an outdated service retired by Microsoft in November 2018, still usable with SharePoint Online but not recommended for new solutions. The paragraph outlines the process of creating a new Azure AD application, generating an X.509 certificate for authentication, configuring API permissions, and refactoring code to use Azure AD OAuth with a client certificate. A demo illustrates how to interact with SharePoint Online using an application-only account.
🚀 Implementing Azure AD in SharePoint Online
The second paragraph demonstrates the Azure AD setup. It shows how to register a new application in Azure AD using the PnP PowerShell cmdlet Register-PnPAzureADApp, which generates the X.509 certificate, uploads it to the app registration and launches the consent prompt to grant the permissions. The paragraph also includes a practical example of consuming SharePoint Online with the Azure AD registered application, reading a document library's title and uploading a document.
🔗 Final Steps for Azure AD Integration
The third paragraph focuses on the code changes. It details how to read the certificate from the certificate store by thumbprint, create an AuthenticationManager instance with CreateWithCertificate (client ID, certificate, tenant ID), and obtain a client context for SharePoint Online. The same CSOM code then reads the title of the document library and uploads a document. It concludes that registering the application in Azure AD and swapping the authentication call is the whole replacement needed to upgrade the solution.
Keywords
💡Azure Active Directory
💡Access Control Services
💡SharePoint Online
💡Application Only Account
💡X.509 Certificate
💡API Permissions
💡Client ID and Client Secret
💡PnP Framework
💡Authentication Manager
💡PowerShell
Highlights
Using an application-only account with Azure Active Directory for interacting with SharePoint Online.
Microsoft retired Azure Access Control Services (ACS) in November 2018, and it is recommended to upgrade to Azure Active Directory (AAD).
Azure ACS is based on an old authentication model for SharePoint, and modern development techniques should use Azure AD application registration.
Azure AD allows for granular selection of permissions through resource-specific consent (Sites.Selected) instead of tenant-wide application permissions.
Upgrading from ACS to AAD involves creating a new Azure AD application and using an X.509 certificate for authentication.
Configuration of API permissions is required to consume SharePoint Online with Azure AD.
Code refactoring is necessary to move from client ID and client secret in ACS to client ID with a certificate in Azure AD.
A demo is provided showing how to upgrade from ACS to Azure AD using a C# application.
Creating an Azure AD application can be done using PnP PowerShell with the Register-PnPAzureADApp cmdlet.
The cmdlet generates an X.509 certificate, registers the application in Azure AD, and configures permissions.
The example application demonstrates reading the title of a document library and uploading a document to SharePoint Online using Azure AD.
The application reads settings from an appsettings.json file and uses the PnP framework for development.
Authentication in the upgraded application is done using the client ID, tenant ID, and the certificate's thumbprint.
The upgraded application achieves the same functionality as the old ACS-based application but with modern authentication methods.
Additional resources and links are provided for further learning about upgrading to Azure AD.
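The highlights note that Register-PnPAzureADApp grants default permissions unless you choose specific SharePoint or Graph permissions, and that Azure AD can scope an app down to Sites.Selected. A check a practitioner would add after the grant step, as an added example (not from the video): acquire the app-only token for SharePoint Online with the certificate and inspect the application permissions Azure AD actually put into its roles claim, so an over-broad default grant is caught before the app goes to production. It assumes the Microsoft.Identity.Client (MSAL.NET) package, a certificate in CurrentUser\My, and placeholder client ID, tenant ID, thumbprint and tenant host values.

```csharp
// Added example, not the video's code. Assumes MSAL.NET (Microsoft.Identity.Client)
// and placeholder identifiers below.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class AppOnlyTokenCheck
{
    // Return the application permissions in the token's "roles" claim.
    // The payload is only decoded, not signature-validated: this is a token we
    // just received from Azure AD ourselves, not one presented by a caller.
    public static IReadOnlyList<string> ExtractRoles(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Not a compact JWS (expected three segments).");
        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        if (!doc.RootElement.TryGetProperty("roles", out var roles))
            return Array.Empty<string>();   // no application permissions at all
        return roles.EnumerateArray().Select(r => r.GetString()!).ToList();
    }

    // JWT segments are base64url without padding; restore both before decoding.
    static byte[] Base64UrlDecode(string s)
    {
        var b64 = s.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }

    // Anything granted beyond the allow-list is a misconfiguration to fix in
    // the app registration, not something to live with.
    public static IReadOnlyList<string> UnexpectedRoles(
        IEnumerable<string> granted, IEnumerable<string> allowed)
        => granted.Except(allowed, StringComparer.OrdinalIgnoreCase).ToList();

    public static async Task<IReadOnlyList<string>> GetSharePointRolesAsync(
        string clientId, string tenantId, string thumbprint, string tenantHost)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var cert = store.Certificates
            .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
            .OfType<X509Certificate2>().FirstOrDefault()
            ?? throw new InvalidOperationException("Certificate not found in CurrentUser\\My.");

        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithCertificate(cert)
            .WithTenantId(tenantId)
            .Build();

        // Client-credentials flow against the SharePoint Online resource; the
        // ".default" scope returns every application permission granted to the app.
        var result = await app
            .AcquireTokenForClient(new[] { $"https://{tenantHost}/.default" })
            .ExecuteAsync();
        return ExtractRoles(result.AccessToken);
    }

    public static async Task Main()
    {
        // Placeholder values; replace with your registration's identifiers.
        var roles = await GetSharePointRolesAsync(
            "<client-id>", "<tenant-id>", "<certificate-thumbprint>", "contoso.sharepoint.com");
        Console.WriteLine($"Granted application permissions: {string.Join(", ", roles)}");

        var unexpected = UnexpectedRoles(roles, new[] { "Sites.Selected" });
        if (unexpected.Count > 0)
            Console.WriteLine($"Over-broad grant, remove from the app registration: {string.Join(", ", unexpected)}");
    }
}
```

If the allow-list is Sites.Selected, remember that the token alone grants nothing: an administrator must still assign the app to each site it may touch, which is the resource-specific consent step the highlights refer to. An empty roles claim means admin consent was never completed, which is the "page is done, don't care about this response" moment in the video worth double-checking.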
Transcripts
…from Access Control Services to Azure Active Directory registered applications. The use case for this scenario is when you want to create a daemon or a background application which will interact with elevated permissions with SharePoint Online, and you will not use any specific user account but you want to use an application-only account. The options available nowadays to realize this kind of scenario are using an Azure Access Control Services registered application in a specific target tenant, or an Azure Active Directory registered application. So let me try to explain to you why you should use Azure AD and, in case you have an Access Control Services registered application, why you should upgrade it to Azure AD. First of all, Azure Access Control Services is now what we can call an old service based on an old development model; in fact, Microsoft retired ACS in November 2018. It is still available for SharePoint Online, but you should not use it anymore in new solutions, and you should upgrade your existing solutions to the new model, which is the one based on Azure Active Directory. Moreover, Azure ACS is an authentication model for applications which is based on the Add-in model of SharePoint, which is now kind of an old model, and nowadays you should rely on new, modern development techniques and, again, one more time, on Azure Active Directory application registration, where for example you can also leverage resource-specific consent or Sites.Selected permissions, which allow you to have a really granular selection of permissions whenever you need to consume a SharePoint Online site or content. So how can you actually upgrade from ACS to AAD? Well, first of all you need to register a new Azure Active Directory application; you need to create an X.509 certificate for the authentication (in fact, SharePoint Online for app-only requires you to authenticate providing an X.509 certificate); you have to configure the API permissions that you will need with your application in order to consume SharePoint Online; and then you will need to refactor a bit your code in order to move from the old-school client ID and client secret of ACS to the new school of Azure Active Directory OAuth and a client ID with a certificate. So let me move to the demo environment and let me show you how you can do that in practice.

So imagine that we have an application that we already registered in Azure ACS. The registration goes through the appregnew.aspx page of your target SharePoint Online tenant, and you will get back a client ID and a client secret; you have to provide the title, an app domain and then a redirect URI for your application. Once you've done that, you can retrieve your application through the appinv.aspx page under the SharePoint admin UI, doing a lookup by client ID, and you will be able to configure a custom set of permissions like you can see here. Right here, we provide an application permission of type Full Control to this application, meaning that it will have access to all of the site collections in my tenant with full control rights. And then we have a site collection, this one, "ACS to AAD apps", in which I have a document library, the default one, and I want to write an application to read the title of this document library and to upload a document into the document library. We can do that using a C# application, for example. Here I have an application in which I'm using some packages like the PnP Framework, for example, to speed up the development process of consuming SharePoint Online, and I'm using some other packages to manage the configuration settings of my application. In fact, in my settings I will have the URL of the site that I want to consume, the title of the list or library that I want to consume, the client ID and the client secret of my application. As such, when I execute my application, which is a .NET 6 application, I will need to read the configuration from the appsettings.json file; I will translate the JSON settings into a fully typed object, and then, using the PnP Framework, I can create an AuthenticationManager instance and I can call GetACSAppOnlyContext, providing the URL of the target site, the client ID and the client secret. I will get back a ClientContext object of CSOM, the client-side object model of SharePoint Online, and then using CSOM I can get a list by title, providing the title of my list; I can do the load of the list including the title, so that by executing the query asynchronously against SharePoint Online I will get back the title of my list. I can create a random file content with random text inside of it, and I can upload the file, again asynchronously, in the root folder of my target library, simply specifying a random file name based on a GUID. And that's it. So this is a very simple example that we want to upgrade from ACS to Azure AD. So if I run this application, even if it is a very simple one, we can see that in a matter of a few seconds we will have our console application running, and we will get back the title of the target document library, and the document will be created in the target document library. In fact, if I refresh this library, we can see that now we have a new file that I just created. Simple as that.

Now let's make the assumption that we want to upgrade the solution to Azure Active Directory. We can easily register a new application in Azure AD simply relying on PnP PowerShell, and specifically we can use the Register-PnPAzureADApp cmdlet, providing the application name, which will be the name of the application that will be registered in Azure AD. We can provide the store where we want to save the generated X.509 certificate, which will be created by the cmdlet and uploaded to Azure Active Directory and associated to our application in Azure Active Directory. We have to specify the target tenant, as you can see right here, as well as the username and the password to access the target tenant and register the application; the password will be provided through a prompt to the user. As well, we can specify a certificate password, which will be used to protect the private key of the certificate, and again here I'm using a prompt for the user. And now I'm going to save the .cer and .pfx files associated to the auto-generated certificate into the current path. So by executing this cmdlet we will have to provide, first of all, the credentials of the user that I want to use to register my application, and then I will have to provide a password which should be strong enough, secure enough, to protect the private key of my certificate. The cmdlet will start creating the certificate and storing the certificate in the certificate store; then it will create the application in Azure Active Directory and will wait up to 60 seconds for the app to be ready, and then it will launch the web UI to grant the permissions that will be automatically granted by the cmdlet to the application created. I don't want to waste your time, so I will speed up the recording while waiting for the 60 seconds.

And here we are. Now we will have a web prompt to grant the permissions to our newly registered application. First of all we need to pick a user account to use in order to do the grant of the permissions, and we will have to provide a password for that user, and once we have done that we will be able to grant the permissions automatically added to the application registration by the cmdlet. If you like, using additional arguments for the cmdlet you can choose the permissions that you want to grant, targeting either SharePoint Online permissions or Microsoft Graph permissions. Right now I'm using default permissions; I'm accepting to grant those permissions to my app, and in a matter of a few seconds now we're ready. The page is done; don't care about this kind of response, but now the application is registered. In fact, if I go to Azure Active Directory we can see that we have my application registered. I can click on it and we can see that we have an application with a specific client ID and directory ID. We can click on "Certificates & secrets" to see the certificate that has been generated automatically by the cmdlet, and if we go to "API permissions" we can see the permissions granted to the application, as you can see right here.

So it is now time to consume one more time SharePoint Online, the same site collection as before, but now using the Azure AD registered application. The application is almost the same as before. We still have an appsettings.json file where we specify, still, the site URL, the list ID, the client ID, and this time the tenant ID and the certificate thumbprint, which we can get back from the certificate that was generated. Then, instead of using an instance of AuthenticationManager to create the client context based on the ACS credentials, we rather read the certificate that we want to use to authenticate against Azure Active Directory, providing the target store, the store location and the thumbprint of the certificate, which we can read from the settings of our application, and then we create a new instance of the AuthenticationManager using this factory method, which is CreateWithCertificate, which will accept the client ID, the certificate and the tenant ID. By doing that, the AuthenticationManager will allow us to invoke the GetContext method to still get a ClientContext of CSOM, and since we have a client context we can then do exactly what we did before in the previous sample: we can read the title of the document library and we can upload a document into the target document library. So at the very end, we simply need to register the application in Azure AD (you can do that using the PnP PowerShell cmdlet, or you can do it manually, as you can read through the article associated to this video), and once you have got the application registered and the certificate created for you, you can authenticate using the AuthenticationManager, providing that certificate, the client ID and the tenant ID; you get the context and you are good to go. That's the replacement you need to do to upgrade your solution. Just for the sake of completeness, let me run this application like I did with the previous one. So now we have yet another console application running; we get the title of the library and we just uploaded a new document in the target library. In fact, if we go back here and we refresh, now we have two documents instead of one, and the last one was created a few seconds ago. Here you can find additional links if you want to dig into this topic, and thanks for watching this video.